U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Results of Technical Network Vulnerability Assessment: EPA’s Region 1

Report No. 12-P-0518                                             June 5, 2012


Report Contributors:
    Rudolph M. Brevard
    Warren Brooks
    Scott Sammons
    Kyle Denning


Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

    e-mail:   OIG_Hotline@epa.gov
    phone:    1-888-546-8740
    fax:      202-566-2599
    online:   http://www.epa.gov/oig/hotline.htm
    write:    EPA Inspector General Hotline
              1200 Pennsylvania Avenue NW
              Mailcode 2431T
              Washington, DC 20460


U.S. Environmental Protection Agency                                    12-P-0518
Office of Inspector General                                          June 5, 2012

At a Glance

Results of Technical Network Vulnerability Assessment: EPA’s Region 1

Why We Did This Review

We sought to assess the security configurations of the U.S. Environmental
Protection Agency’s (EPA’s) Region 1 wireless network infrastructure. We also
sought to conduct network vulnerability testing of the Region 1 Local Area
Network to identify resources that contained commonly known high-risk and
medium-risk vulnerabilities.

Background

We conducted this audit as part of the annual review of EPA’s information
security program as required by the Federal Information Security Management
Act. We conducted network vulnerability testing in February 2012 to identify
any commonly known network vulnerabilities and to present the results to the
appropriate EPA officials, who can then promptly remediate or document planned
actions to resolve the weaknesses.

What We Found

Our vulnerability assessments of Region 1’s wireless network infrastructure
found no security weaknesses. However, our vulnerability testing of networked
resources located at the Region 1 facility identified Internet Protocol
addresses with potentially 18 high-risk and 166 medium-risk vulnerabilities.
Regional and headquarters offices manage resources located in Region 1 that
contain these weaknesses. The Office of Inspector General (OIG) met with EPA
information security personnel from the respective offices to discuss the
findings. EPA information security personnel acknowledged the existence of the
identified security weaknesses and began immediate remediation of some of these
issues. If not resolved, these vulnerabilities could expose EPA’s assets to
unauthorized access and potentially harm the Agency’s network.

What We Recommend

We recommend that the Senior Information Officials within Region 1 and the
Office of Environmental Information:

    • Provide the OIG a status update for all identified high-risk and
      medium-risk vulnerability findings within 30 days of this report.
    • Create plans of action and milestones in the Agency’s Automated Security
      Self-Evaluation and Remediation Tracking system for all vulnerabilities
      according to Agency procedures within 30 days of this report.
    • Perform a technical vulnerability assessment test of assigned network
      resources within 60 days to confirm completion of remediation activities.

The detailed testing results have already been provided to Agency
representatives. Due to the sensitive nature of the report’s technical
findings, the technical details will not be made available to the public.

Planned Agency Corrective Actions

Region 1 remediated all high-risk vulnerabilities discovered by our
vulnerability testing of networked resources. Additionally, Region 1
acknowledged the existence of the additional vulnerabilities that we identified
and began mitigation activities related to these risks.

For further information, contact our Office of Congressional and Public Affairs
at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120605-12-P-0518.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

June 5, 2012

MEMORANDUM

SUBJECT:  Results of Technical Network Vulnerability Assessment:
          EPA’s Region 1
          Report No. 12-P-0518

FROM:     Arthur A. Elkins, Jr.

TO:       Fred Weeks
          Acting Senior Information Official
          Region 1

          Renee Wynn
          Principal Deputy Assistant Administrator and Senior Information Official
          Office of Environmental Information


This is our final report on the above subject audit conducted by the Office of
Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The
site assessment was conducted in conjunction with our annual audit of EPA’s
information security program as required by the Federal Information Security
Management Act. This report provides the summary of our security testing of
networked resources located at EPA’s Region 1 office. Our test disclosed that
network resources at the Region 1 office contained potentially 18 high-risk and
166 medium-risk vulnerabilities. Upon analysis of the testing results, we found
that both regional and headquarters offices are responsible for managing the
resources located in Region 1 that contain these weaknesses. We provided your
office representatives with the technical results during our site visit in
order to facilitate immediate remediation actions. All 18 high-risk
vulnerabilities were remediated before the issuance of this report.

We performed this audit work from February through May 2012 at EPA’s Region 1
offices in Boston, Massachusetts. We performed this audit in accordance with
generally accepted government auditing standards. These standards require that
we plan and perform the audit to obtain sufficient and appropriate evidence to
provide a reasonable basis for our findings and conclusions based on the audit
objectives. We believe the evidence obtained provides a reasonable basis for
our findings and conclusions.

12-P-0518                                                                      1


We conducted testing to identify the existence of commonly known
vulnerabilities using a commercially available network vulnerability assessment
tool recognized by the National Institute of Standards and Technology. We
interviewed EPA personnel responsible for managing the network resources
located in Region 1. We reviewed relevant EPA policies to obtain an
understanding of the Agency’s Automated Security Self-Evaluation and
Remediation Tracking (ASSERT) system used for recording identified weaknesses.
We tested the Internet Protocol addresses associated with network resources
located in the Region 1 office. We used the risk ratings provided by the
vulnerability software to determine the level of harm a vulnerability could
cause to a networked resource and accepted the results from the software tool
as the level of risk to EPA’s network. Upon follow-up with your office
representatives, they acknowledged the existence of the vulnerabilities and
stated that some mitigation activities had already begun related to these
risks.

We also conducted testing of Region 1’s wireless infrastructure to identify any
possible configuration weaknesses using a commercially available wireless
scanning tool. Specifically, we tested to identify whether any unauthorized
wireless devices existed on the region’s network. We also tested to determine
whether the wireless encryption protocols being used on the region’s wireless
local area network were sufficient to secure it. We found no weaknesses during
either of these tests.

Recommendations

We recommend that the Senior Information Officials within Region 1 and the
Office of Environmental Information:

    1. Provide the OIG a status update for all identified high-risk and
       medium-risk vulnerability findings.

    2. Create plans of action and milestones in the Agency’s Automated Security
       Self-Evaluation and Remediation Tracking system for all vulnerabilities
       according to Agency procedures.

    3. Perform a technical vulnerability assessment test of assigned network
       resources within 60 days to confirm completion of remediation
       activities.

Action Required

Please provide written responses to this report within 30 calendar days. You
should include a corrective actions plan for agreed-upon actions, including
milestone dates.

Due to the sensitive nature of the report’s technical findings, the technical
details are not included in this report and will not be made available to the
public. The OIG plans to post on the OIG’s public website the corrective action
plans that you provide to us that do not contain sensitive information.
Therefore, we request that you provide the response to recommendation 1 in a
separate document, and we will not make that response available to the public
if it contains sensitive information.

12-P-0518                                                                      2


Your responses should be provided as Adobe PDF files that comply with the
accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as
amended. Except for your response to recommendation 1, which will not be posted
if it contains sensitive information, your responses should not contain data
that you do not want to be released to the public; if those responses contain
such data, you should identify the data for redaction or removal.

If you or your staff have any questions regarding this report, please contact
Patricia H. Hill, Assistant Inspector General for Mission Systems, at
(202) 566-0894 or hill.patricia@epa.gov; or Rudolph M. Brevard, Product Line
Director, Information Resources Management Assessments, at (202) 566-0893 or
brevard.rudy@epa.gov.

12-P-0518                                                                      3


Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

    Rec.  Page  Subject                                         Status(1)  Action Official
    No.   No.
    ----  ----  ----------------------------------------------  ---------  ------------------------------------------
    1     2     Provide the OIG a status update for all         U          Senior Information Officials, Region 1 and
                identified high-risk and medium-risk                       the Office of Environmental Information
                vulnerability findings.

    2     2     Create plans of action and milestones in the    U          Senior Information Officials, Region 1 and
                Agency’s Automated Security Self-Evaluation                the Office of Environmental Information
                and Remediation Tracking system for all
                vulnerabilities according to Agency
                procedures.

    3     2     Perform a technical vulnerability assessment    U          Senior Information Officials, Region 1 and
                test of assigned network resources within                  the Office of Environmental Information
                60 days to confirm completion of remediation
                activities.

POTENTIAL MONETARY BENEFITS (in $000s)

    Rec.  Planned Completion  Claimed  Agreed-To
    No.   Date                Amount   Amount
    ----  ------------------  -------  ---------
    1     (none entered)      (none)   (none)
    2     (none entered)      (none)   (none)
    3     (none entered)      (none)   (none)

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

12-P-0518                                                                      4


Appendix A

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Regional Administrator, Region 1
Principal Deputy Assistant Administrator for Environmental Information and
    Senior Information Official
Acting Senior Information Official, Region 1
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Senior Agency Information Security Officer
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Region 1

12-P-0518                                                                      5